SIFMA worried SEC’s CAT could add risk to customer information exposure

Given global data privacy concerns, protecting client personal information is mission-critical in every industry. However, when the Securities and Exchange Commission’s (SEC) Consolidated Audit Trail (CAT) is fully operational, the Securities Industry and Financial Markets Association (SIFMA) worries that the initiative does not address key implementation issues.

What CAT means for broker-dealers

A major regulatory initiative by the SEC and 24 self-regulatory organizations (SROs), including the Financial Industry Regulatory Authority (FINRA) and stock and options exchanges, CAT is expected to significantly enhance regulators’ ability to monitor and analyze trading activity. Under the CAT, broker-dealers will be required to report every equity and option transaction as well as certain personal information of retail and institutional clients to a database operated by the 24 SROs.

When completed, the CAT will become the world’s largest database of equity securities and listed options transactions, including:

• Personal information for every retail brokerage client in America – over 100 million institutional and retail accounts;
• Order details on every stock transaction in America – trades for all retail customers, pension funds, and mutual funds; and
• Order details on every options transaction in America.

Kenneth E. Bentsen, Jr., president and CEO of SIFMA, says that while the Association supports CAT and its regulatory intent, it has strong concerns regarding the risks to customer information, including the wholesale collection of personally identifiable information (PII) compiled in one place. This risk, he adds, is further compounded by permitting 24 separate organizations to bulk download and store all that data, including transactions and customer data, on their own systems, dramatically increasing exposure to data breach and theft. The CAT system potentially allows up to 3,000 users at 24 different groups to download and store the CAT data internally. And, their personnel could have unfettered access to that data.

Who is liable for risk under CAT?

The answer is unclear at this time. Bentsen says that SIFMA has argued repeatedly that transaction and customer data should be collected in a secure, controlled environment, and only the SEC and FINRA should have access to the entire database.  Further, broker-dealers and their customers should not bear the liability of such risks to their information when they are being compelled by government regulation to provide it.

But in fact, he says, the SROs are seeking to limit their liability at $500. Lastly, competing entities, of which many of the SROs are, should be strictly precluded from accessing data with any commercial intent.  It is outside the original intent of the CAT to put investors’ data and identity at risk or allow for-profit entities to potentially mine it for commercial gain under the guise of regulation.

With a consolidated database this large, Bentsen worries about security. And while the CAT itself is required to have robust and transparent security protocols, he is concerned that the CAT rules allow the SEC and all 24 SROs to download all the data onto their own systems, a force multiplier of the already considerable data risk of the CAT Processor itself.

SIFMA says control access to CAT data

According to Bentsen, SIFMA advocates that the SEC and the 24 SROs should not be permitted to download any CAT data onto their own systems. Rather, all CAT data surveillance and analysis should occur within a highly controlled, limited access analytics environment within the CAT.

He also criticizes the unwillingness of SROs responsible for operating the CAT to be accountable for any breach damages to U.S. investors. Instead, they are requiring broker-dealers reporting to the CAT agree in writing to waive any liability claims against them before firms are even allowed to begin testing.

This lose/lose situation places broker-dealers in an untenable position. Either they report to the CAT and sign away any legal protection for their customers’ data, or they remain firm in protecting customers’ data themselves and risk violating a regulatory reporting requirement. 

The Association does support a successfully designed, implemented, and secured CAT so long as the SEC and SROs take the necessary steps to protect sensitive CAT data, set reasonable limits to access, and are fully accountable for any breaches.

In the meantime, who is responsible for your client’s data?

You. And, that’s where Patrina comes in. For more than 25 years, Patrina has been helping compliance professionals like you stay on the “straight and narrow” efficiently and cost-effectively. So, let’s talk. Call 212-233-1155 to ask about Patrina’s cost-effective, designated third-party services, our comprehensive 8-module compliance solution, and compliant data capture & file storage, and records archiving specifically designed for the financial services community. Be smart. Be covered.Let’s talk.